The researchers will also release new techniques that use search engines to identify security vulnerabilities in software and to pinpoint malicious websites hosting malware. Building on their previous research and tools introduced over the last two years, Brown and Ragan have built the industry’s largest database of search engine-exposed security vulnerabilities and threats and will propose updates to their existing base of open source intelligence-gathering tools.

The tools and research, which Brown and Ragan have named “Search Diggity,” will be introduced in a talk at the DEF CON 20 security conference in Las Vegas July 26-29.

“We’ve used these tools to find hundreds of vulnerabilities in our clients’ environments that they would not otherwise have known about,” said Brown, a managing partner at Stach & Liu, which provides security consulting and testing services for large enterprises. “Search engines like Google and Bing have the ability to expose an incredible amount of sensitive information and vulnerability data, and we believe it’s essential for enterprises to identify those weaknesses before the bad guys do. That’s why we’re releasing these tools at DEF CON, and making them available for free.”

Through their research of the search engines’ capabilities – some of them undocumented -- Brown and Ragan have developed a new round of software tools that can be used to identify security vulnerabilities and sensitive data not only on the enterprise’s own systems, but also on associated networks and cloud services. Among the tools that the researchers will unveil at DEF CON:

NotInMyBackYardDiggity – Most search engine hacking tools only search a single organization domain, which is a problem when users or affiliates are posting content to other domains that the organization does not control, such as cloud service providers. This tool makes it easy for security professionals to search all sites that may contain information about their enterprise – including sites such as Twitter, Dropbox, PasteBin, Google Docs, and even YouTube.

CloudDiggity Data Mining Tool Suite – Allows security professionals to download information mined from the Internet and quickly search it for sensitive data that may be vulnerable, such as Social Security numbers, credit card numbers, and passwords.

CodeSearchDiggity-Cloud Edition – Replaces a recently-discontinued tool previously offered by Google, enabling users to search through open source code. It enables security professionals to search for vulnerabilities in open source software code -- which is often re-purposed and used in other environments – to help prevent flaws from being passed around through code reuse.

PortScanDiggity – Uses Google to search the Internet by domains, hostnames, and IP addresses, enabling security professionals to identify open network ports that may be vulnerable to attack. Security professionals can passively and instantaneously get results on exposed Web services that have been indexed by Google.

BingBinaryMalwareSearch (BBMS) – Uses a lesser-known feature of Bing to search for executable files that contain malware and identifies the source of the distributed files.

AlertDiggityDB – A database that contains vulnerabilities indexed by Google, Bing, and other search engines over the past two years. Under construction since April 2010, AlertDiggityDB is the largest repository of search engine-exposed vulnerabilities ever compiled and now is available to all users at no cost.

Diggity Dashboard – Analyzing more than 4 million entries in AlertDiggityDB, Diggity Dashboard enables security professionals to graphically view their own organizations’ data and potential vulnerabilities as they are mined from the database.

“With these tools, we’re giving security professionals an opportunity to identify and remediate security vulnerabilities and exposed data before an attacker can find and exploit them,” said Ragan, senior security associate at Stach & Liu. “These tools will help organizations stay one step ahead.”

About Stach & Liu
Stach & Liu provides IT security consulting services to help companies secure their business, networks, and applications. Based in Phoenix, Ariz., the privately-held company was founded in 2005 by a team of industry leading experts to help companies secure their businesses, networks, and applications. Its professionals have worked in government intelligence, the Fortune 100, and Big 4 consulting and possess over 100 years of combined security experience. In addition to authoring several best-selling security books, writing numerous industry articles, and being cited in well-respected journals, the Stach & Liu team has been presenting its security research for over a decade. Stach & Liu speakers have made presentations at many top security industry venues, including BlackHat, DefCon, RSA, InfoSecWorld, OWASP, SANS, and Microsoft BlueHat.